6005122851162932 October 12, 2022, 6:42 PM
I find steam guard 2fa enabling process not so secure
I want to enable steam 2fa.

This is how it's done in 99% of cases in all other 2fa-requiring programs and webpages:
1) get 2fa code without the need to install something else somewhere else.
2) enter 2fa code into auth.app. Usually it's Google Authenticator, but there are a lot of other open source apps which can generate 2fa codes, because it's always the same 2fa algorithm proven by years and millions of users.
3) password is still safe, I didn't have to enter it elsewhere. Plus I have 2fa security on top. All good.

But this is what I have to go through in Steam. I haven't even done it yet, it's just a result of research so far.
1) download one more unnecessary mobile app (steam app)
2) enter login and password on one more device (mobile), which lowers security. Mobile phones are full of spyware installed from store, except maybe Apple with their strict developer checks. But then you get Apple's always watching keylogger so it's still not great.
3) finally activate 2fa in steam mobile app
4) I literally don't need steam mobile app for anything except enabling 2fa. So, spend eternity to find some rare open source project which can generate steam 2fa codes, because usual auth apps will not work because steam's 2fa is different from global standard.
5) I don't want to keep mobile app logged in into my account. I just need it to enable 2fa and then logout from the steam app and uninstall it forever. And generate 2fa codes in some good trusted app tested and trusted by millions of people. I don't want my entire account security to be tied to mobile phone which can be easily lost or stolen.
6) so, add steam's 2fa code into other app, uninstall steam mobile app
7) change password, because it's probably compromised after typing it into mobile

I just want to secure my account by enabling 2fa, and generate codes on another secure trusted device. Why do I have to actually compromise account security if I want to do that?
Why is there no option in Steam PC version to activate global standard 2fa and to use any other trusted 2fa app to generate codes?
Showing 31-35 of 35 comments
Léon Scarlet October 14, 2022, 10:14 AM
i found the QR code login not secure
Steven Seagull October 14, 2022, 10:34 AM
Originally posted by Shadowi:
but my steam mobile app keeps generating valid codes even while logged out.
Did you have to type in your Steam password onto your mobile any time before logging out?
Because at that point your password might have been already compromised.

Can you install the app, not typing in your Steam password and somehow still getting valid codes?
Black Blade October 16, 2022, 12:48 AM
Originally posted by Steven Seagull:
These tools can be stolen as it happened before. Search for the Italian hacking firm called Hacking Team. When these tools which were developed for millions of dollars fall into the hands of anybody, that's a different case. When such tools become public knowledge anyone can use them for anything. There were tools created by the NSA but stolen by someone and they made them public. Then someone weaponized them and I think you remember when ransomware got really popular and the news was full of it. That was due to the NSA not being able to keep their cyberweapons in house... Search for EternalBlue.

These tools/cyberweapons can become public knowledge, or you can buy them for a small fee on the dark web and create your own ransomware, or if you'd like, a Steam account stealer, if you want to.
Ransomware became popular I think regardless of something from the NSA showing up, most of the ransomware did not do anything more than normal and common phishing does and some system-related stuff, which are all normal things

Besides, again if it is stolen, honestly you got more important things to worry about, and it should be patched up pretty fast on the devices then

Also once again think about what is really suggested here
The tools you suggest do hardware or basic phone-related stuff, like reading SMS (something the software for SMS is built for same with phone calls logs, and phone)
And using a camera and so on
To be able to do things on the pre-approved app they need to open the app (most likely possible) but then navigate it, which is most likely problematic to do, and all this while there is a better target to attack while the window is open, which will not be all that long

I do agree with allowing you to logout or maybe completely separate Steam-related and Steam Guard, but saying stuff like it being this big danger is... kind of too far I think
Steven Seagull October 16, 2022, 11:28 AM
Originally posted by Black Blade:
To be able to do things on the pre-approved app they need to open the app (most likely possible) but then navigate it, which is most likely problematic to do, and all this while there is a better target to attack while the window is open, which will not be all that long
No, it doesn't work like that. The attackers will have direct memory access, they can just read out whatever they want. Or change the e-mail address or change anything. They don't have to use the user interface...
T9 October 21, 2022, 10:52 PM
Originally posted by Zefar:
Originally posted by Steven Seagull:
Wrong. The criminal only has to do one thing: send you an SMS. Yes, it can be enough to just send an SMS to a phone and then you can see everything that is on the phone and do everything the phone owner can do, but in stealth mode so it isn't even visible to the user. Search for the Pegasus malware for example. It is just one malware from the past.
Or you just have to open a webpage and with CPU vulnerabilities like Spectre v2 they can read everything from your phone. These are things that happened already in the past, but in the future these can happen again. Just search for the term zero click RCE (remote code execution).

Even if these are rare it doesn't change the fact that Steam's 2FA is broken and not secure.

Read up on it and it seems to be used on a certain group of people only. Android and Apple are patching the exploits as they find them.

So this is not going to happen to anyone who has a Steam account.

Steam's 2FA is not broken or insecure. The old code it generates, and you can still generate that code, is easier to steal with such malware than scanning a QR code with the phone's camera.
They should get rid of the code entirely because gullible people on Discord keep giving it away to others. It'd be much harder to scam the scammers QR code.
I tried QR via Steam app a dozen times and I couldn't get in lol
No idea why but it just doesn't work. Would be awesome to be permanently locked out (no codes) :CPUInvaders:

Date Posted: October 12, 2022, 6:42 PM
Posts: 35